1 Introduction

Abella [3] is an interactive system for reasoning about aspects of object languages that have been formally presented through recursive rules based on syntactic structure. Abella utilizes a two-level logic approach to specification and reasoning. One level is defined by a specification logic which supports a transparent encoding of structural semantics rules and also enables their execution. The second level, called the reasoning logic, embeds the specification logic and allows the development of proofs of properties about specifications. An important characteristic of both logics is that they exploit the λ-tree syntax approach to treating binding in object languages. Amongst other things, Abella has been used to prove normalizability properties of the λ-calculus, cut admissibility for a sequent calculus and type uniqueness and subject reduction properties. This paper discusses the logical foundations of Abella, outlines the style of theorem proving that it supports and finally describes some of its recent applications.

2 The Logic Underlying Abella 

Abella is based on G, an intuitionistic, predicative, higher-order logic with fixed-point definitions for atomic predicates and with natural number induction [4].

Representing binding. G uses the λ-tree syntax approach to representing syntactic structures [7], which allows object level binding to be represented using meta-level abstraction. Thus common notions related to binding such as α-equivalence and capture-avoiding substitution are built into the logic, and the encodings of object languages do not need to implement such features.

To reason over λ-tree syntax, G uses the ∇ quantifier which represents a notion of generic judgment [9]. A formula ∇x.F is true if F is true for each x in a generic way, i.e., when nothing is assumed about any x. This is a stronger statement than ∀x.F which says that F is true for all values for x but allows this to be shown in different ways for different values.

For the logic G, we assume the following two properties of ∇:

\[
\nabla x.\nabla y.F\,x\,y \equiv \nabla y.\nabla x.F\,x\,y
\qquad\qquad
\nabla x.F \equiv F \ \text{ if $x$ not free in $F$}
\]
A natural proof-theoretic treatment for this quantifier is to use nominal constants to instantiate ∇-bound variables [16]. Specifically, the proof rules for ∇ are

where a is a nominal constant which does not appear in the formula underneath the ∇ quantifier. Due to the equivalence of permuting ∇ quantifiers, nominal constants must be treated as permutable, which is captured by the initial rule.

\[
\frac{\pi.B = B'}{\Gamma, B \vdash B'}
\]

Here π is a permutation of nominal constants.

Definitions. The logic G supports fixed-point definitions of atomic predicates. These definitions are specified as clauses of the form $\forall \bar{x}.(\nabla \bar{z}.H) \triangleq B$ where the head H is an atomic predicate. This notion of definition is extended from previous notions (e.g., see [9]) by admitting the ∇-quantifier in the head. Roughly, when such a definition is used, in ways to be explained soon, these ∇-quantified variables become instantiated with nominal constants from the term on which the definition is used. The instantiations for the universal variables $\bar{x}$ may contain any nominal constants not assigned to the variables $\bar{z}$. Thus ∇ quantification in the head of a definition allows us to restrict certain pieces of syntax to be nominal constants and to state dependency information for those nominal constants.

Two examples hint at the expressiveness of our extended form of definitions. First, we can define a predicate name E which holds only when E is a nominal constant. Second, we can define a predicate fresh X E which holds only when X is a nominal constant which does not occur in E.

\[
(\nabla x.\ \mathit{name}\ x) \triangleq \top
\qquad\qquad
\forall E.(\nabla x.\ \mathit{fresh}\ x\ E) \triangleq \top
\]

Note that the order of quantification in fresh enforces the freshness condition.

Definitions can be used in both a positive and negative fashion. Positively, definitions are used to derive an atomic judgment, i.e., to show a predicate holds on particular values. This use corresponds to unfolding a definition and is similar to back-chaining. Negatively, an atomic judgment can be decomposed in a case analysis-like way based on a closed-world reading of definitions. In this case, the atomic judgment is unified with the head of each definitional clause, where eigenvariables are treated as instantiatable. Also, both the positive and negative uses of definitions consider permutations of nominal constants in order to allow the ∇-bound variables $\bar{z}$ to range over any nominal constants. A precise presentation of these rules, which is provided in Gacek et al. [4], essentially amounts to introduction rules for atomic judgments on the right and left sides of sequents in a sequent calculus based presentation of the logic.

Induction. G supports induction over natural numbers. By augmenting the predicates being defined with a natural number argument, this induction can serve as a method of proof based on the length of a bottom-up evaluation of a definition.
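As an added illustration (not code from the paper), the two definitions name and fresh written in Abella's concrete syntax, where the ∇ of the head is spelled nabla and a clause whose body is ⊤ is written without a body. Two small theorems then exercise the positive and negative uses of definitions described above. The object-language type tm and the theorem names are assumptions made for this example.

```abella
% Added example, not from the paper: the Section 2 definitions in Abella
% syntax. "tm" is an assumed type for object-language terms; any type works.

Kind tm type.

% name X holds exactly when X is a nominal constant: the nabla in the head
% forces X to be instantiated with a nominal constant.
Define name : tm -> prop by
  nabla x, name x.

% fresh X E holds when X is a nominal constant not occurring in E. The
% variable E is implicitly universally quantified *outside* the nabla, so
% its instantiation may not mention x: this is the ordering condition the
% paper relies on for freshness.
Define fresh : tm -> tm -> prop by
  nabla x, fresh x E.

% Negative use (case analysis) followed by positive use (search unfolds
% the definition of name): decomposing fresh X E tells us X is a nominal
% constant, and search then establishes name X.
Theorem fresh_name : forall X E, fresh X E -> name X.
intros. case H1. search.

% The dependency restriction at work: fresh X X can never hold, because E
% would have to contain the nominal constant assigned to x. Case analysis
% finds no matching clause and therefore closes the goal.
Theorem fresh_irrefl : forall X, fresh X X -> false.
intros. case H1.
```

The second theorem is the closed-world reading of definitions from the paragraph above in action: since no instance of the single clause for fresh unifies with fresh X X, the hypothesis is contradictory and no subgoals remain.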

3 The Structure of Abella 

The architecture of Abella has two distinguishing characteristics. First, Abella is oriented towards the use of a specific (executable) specification logic whose proof-theoretic structure is encoded via definitions in G. Second, Abella provides tactics for proof construction that embody special knowledge of the specification logic. We discuss these aspects and their impact in more detail below.
\[
\forall m, n, a, b\,[\mathit{of}\ m\ (\mathit{arr}\ a\ b) \wedge \mathit{of}\ n\ a \supset \mathit{of}\ (\mathit{app}\ m\ n)\ b]
\]
\[
\forall r, a, b\,[\forall x\,[\mathit{of}\ x\ a \supset \mathit{of}\ (r\ x)\ b] \supset \mathit{of}\ (\mathit{abs}\ a\ r)\ (\mathit{arr}\ a\ b)]
\]

Fig. 1. Second-order hereditary Harrop formulas for typing

3.1 Specification Logic 

It is possible to encode object language descriptions directly in definitions in G, but there are two disadvantages to doing so: the resulting definitions may not be executable and there are common patterns in specifications with λ-tree syntax which we would like to take advantage of. We address these issues by selecting a specification logic which has the features that G lacks, and embedding the evaluation rules of this specification logic instead into G. Object languages are then encoded through descriptions in the specification logic [6].

The specification logic of Abella is second-order hereditary Harrop formulas [5] with support for λ-tree syntax. This allows a transparent encoding of structural operational semantics rules which operate on objects with binding. For example, consider the simply-typed λ-calculus where types are either a base type i or arrow types constructed with arr. Terms are encoded with the constructors app and abs. The constructor abs takes two arguments: the type of the variable being abstracted and the body of the function. Rather than having a constructor for variables, the body argument to abs is an abstraction in our specification logic, thus object level binding is represented by the specification logic binding. For example, the term (λf:i→i.(λx:i.(f x))) is encoded as

abs (arr i i) (λf. abs i (λx. app f x)).

In the latter term, λ denotes an abstraction in the specification logic. Given this representation, the typing judgment of m t is defined in Figure 1. Note that these rules do not maintain an explicit context for typing assumptions, instead using a hypothetical judgment to represent assumptions. Also, there is no side-condition in the rule for typing abstractions to ensure the variable x does not yet occur in the typing context, since instead of using a particular x for recording a typing assumption, we quantify over all x.

Our specification of typing assignment is executable. More generally, the Abella specification logic is a subset of the language λProlog [11] which can be compiled and executed efficiently [12]. This enables the animation of specifications, which is convenient for assessing specifications before attempting to prove properties over them. This also allows specifications to be used as testing oracles when developing full implementations.

The evaluation rules of our specification logic can be encoded as a definition in G. A particular specification is then encoded in a separate definition which is used by the definition of evaluation in order to realize back-chaining over specification clauses. Reasoning over a specification is realized by reasoning over its evaluation via the definition of the specification logic. Abella takes this further and is customized towards the specification logic. For example, the context of hypothetical judgments in our specification logic admits weakening, contraction, and permutation, all of which are provable in G. Abella automatically uses this meta-level property of the specification logic during reasoning. Details on the benefits of this approach to reasoning are available in Gacek et al. [5].
3.2 Tactics

The user constructs proofs in Abella by applying tactics which correspond to high-level reasoning steps. The collection of tactics can be grouped into those that generically orchestrate the rules of G and those that correspond to meta-properties of the specification logic. We discuss these classes in more detail below.

Generic tactics. The majority of tactics in Abella correspond directly to inference rules in G. The most common tactics from this group are the ones which perform induction, introduce variables and hypotheses, conduct case analysis, apply lemmas, and build results from hypotheses. In the examples suite distributed with Abella, these five tactics make up more than 90% of all tactic usages. The remaining generic tactics are for tasks such as splitting a goal of the form $G_1 \wedge G_2$ into two separate goals for $G_1$ and $G_2$, or for instantiating the quantifier in a goal of the form ∃x.G.

Specification logic tactics. Since our specification logic is encoded in G, we can formally prove meta-level properties for it. Once such properties are proved, their use in proofs can be built into tactics. Two important properties that Abella uses in this way are instantiation and cut admissibility. In detail, negative uses of the specification logic ∀ quantifier are represented in G as nominal constants (i.e., the ∇ quantifier), and the instantiation tactic allows such nominal constants to be instantiated with specific terms. The cut tactic allows hypothetical judgments to be relieved by showing that they are themselves provable.
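As an added, worked example (not code from the paper or from the Abella distribution), the typing rules of Fig. 1 written as a λProlog specification in the form Abella loads (Section 3.1), followed by a small Abella development over that specification that uses the five common generic tactics of this section. The file names stlc.sig, stlc.mod and stlc.thm, the context predicate ctx and the theorem name are assumptions of this example; member is Abella's predefined list-membership predicate on olist, and the Teyjus query shown in a comment is what executing the specification is expected to yield for the paper's example term.

```abella
%%% file: stlc.sig  (λProlog signature: the constructors of Section 3.1)
sig stlc.
kind tm, ty        type.
type i             ty.
type arr           ty -> ty -> ty.
type app           tm -> tm -> tm.
type abs           ty -> (tm -> tm) -> tm.  % body is a meta-level abstraction
type of            tm -> ty -> o.

%%% file: stlc.mod  (the two formulas of Fig. 1 as program clauses)
module stlc.
of (app M N) B :- of M (arr A B), of N A.
of (abs A R) (arr A B) :- pi x\ of x A => of (R x) B.
% Executing the specification (e.g. in Teyjus) types the paper's example
% term; the answer below is the expected result of that query:
%   ?- of (abs (arr i i) (f\ abs i (x\ app f x))) T.
%   T = arr (arr i i) (arr i i)

%%% file: stlc.thm  (reasoning about the specification in Abella)
Specification "stlc".

% Contexts that the abs clause can build: each entry types a distinct
% nominal constant x, and T and L, quantified outside the nabla, cannot
% mention x. This is the dependency information of Section 2 at work.
Define ctx : olist -> prop by
  ctx nil ;
  nabla x, ctx (of x T :: L) := ctx L.

Define name : tm -> prop by
  nabla x, name x.

% Every entry of such a context types a nominal constant. The proof uses
% exactly the five tactics the paper singles out: induction, intros, case,
% apply, and search.
Theorem ctx_member : forall E L,
  ctx L -> member E L -> exists X T, E = of X T /\ name X.
induction on 1. intros. case H1.
  case H2.
  case H2.
    search.
    apply IH to H3 H4. search.
```

In the proof, case H1 unfolds ctx negatively into its two clauses; in the nil case, case H2 on member E nil finds no matching clause and closes the goal, while in the cons case the two subcases of member are closed by search (which unfolds name on the nominal constant) and by the induction hypothesis respectively.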

4 Implementation 

Abella is implemented in OCaml. The most sophisticated component of this implementation is higher-order unification which is a fundamental part of the logic G. It underlies how case analysis is performed, and in the implementation, unification is used to decide when tactics apply and to determine their result. Thus an efficient implementation of higher-order unification is central to an efficient prover. For this, Abella uses the higher-order pattern unification package of Nadathur and Linnell [10]. We have also extended this package to deal with the particular features and consequences of reasoning in G.

Treatment of nominal constants. As their name suggests, nominal constants can 
be treated very similarly to constants for most of the unification algorithm, but 
there are two key differences. First, while traditional constants can appear in the 
instantiation of variables, nominal constants cannot appear in the instantiation 
of variables. Thus dependency information on nominal constants is tracked via 
explicit raising of variables. Second, nominal constants can be permuted when 
determining unifiability. However, even in our most sophisticated examples the 
number of nominal constants appearing at the same time has been at most two. 
Thus, naive approaches to handling permutability of nominal constants have 
sufficed and there has been little need to develop sophisticated algorithms. 
Simple extensions. The treatment of case analysis via unification for eigenvariables creates unification problems which fall outside of the higher-order pattern unification fragment, yet still have most general unifiers. For example, consider the clause for β-contraction in the λ-calculus:

step (app (abs R) M) (R M).

Case analysis on a hypothesis of the form step A B will result in the attempt to solve the unification problem B = R M where B, R, and M are all instantiatable. This is outside of the higher-order pattern unification fragment since R is applied to an instantiatable variable, but there is a clear most general unifier. When nominal constants are present, this situation is slightly more complicated with unification problems such as B x = R M x or B x = R (M x), where x is a nominal constant. The result is the same, however, that a most general unifier exists and is easy to find.

5 Examples 

This section briefly describes sample reasoning tasks we have conducted in Abella. The detailed proofs are available in the distribution of Abella [3].

Results from the λ-calculus. Over untyped λ-terms, we have shown the equivalence of big-step and small-step evaluation, preservation of typing for both forms of evaluation, and determinacy for both forms of evaluation. We have shown that the λ-terms can be disjointly partitioned into normal and non-normal forms. Over simply-typed λ-terms, we have shown that typing assignments are unique.

Cut admissibility. We have shown that the cut rule is admissible for a sequent 
calculus with implication and conjunction. The representation of sequents in our 
specification logic used hypothetical judgments to represent hypotheses in the 
sequent. This allowed the cut admissibility proof to take advantage of Abella's 
built-in treatment of meta-properties of the specification logic. 

The POPLmark challenge. The POPLmark challenge is a selection of problems which highlight the traditional difficulties in reasoning over systems which manipulate objects with binding. The particular tasks of the challenge involve reasoning about evaluation, typing, and subtyping for F<:, a λ-calculus with bounded subtype polymorphism. We have solved parts 1a and 2a of this challenge using Abella, which represent the fundamental reasoning tasks involving objects with binding.

Proving normalizability à la Tait. We have shown that all closed terms in the call-by-value, simply-typed λ-calculus are normalizable using the logical relations argument in the style of Tait [14]. Fundamental in this proof was the encoding of arbitrary cascading substitutions which allows one to consider all closed instantiations for an open λ-term. Encoding and reasoning over this form of substitution makes essential use of the extended form of definitions in G.
6 Future and Related Work

Induction and coinduction. The logic G currently supports induction on natural numbers. Similar logics have been extended to support structural induction and coinduction on definitions [15]. Already, the implementation of Abella has support for these features. A paper which describes the extended logic supporting these features is in preparation.

User programmability. Tactics-based theorem provers often support tacticals 
which allow users to compose tactics in useful ways. Some systems even go 
beyond this and offer a full programming language for creating custom tactics. 
We would like to extend Abella with such features. 

Proof search. Many proofs in Abella follow a straightforward pattern of essentially induction, case analysis, and building from hypotheses. We would like to extend Abella to perform these types of proofs automatically. Recent results on focusing in similar logics may offer some insight into a disciplined approach to automated proof search [8].

Related work. A closely related system is Twelf [13] which is based on a dependently typed λ-calculus for specification. Controlling for dependent types, the most significant difference is that our meta-logic is significantly richer than the one in Twelf. Also related is the Nominal package [17] for Isabelle/HOL which allows for reasoning over α-equivalence classes. This approach leverages existing theorem proving work, but does not address the full problem of reasoning with binding. In particular, all work related to substitution is left to the user. A more detailed comparison with these works is available in Gacek et al. [5].